T1589.001 IBM QRadar · QRadar

Detect Credentials in IBM QRadar

Adversaries may gather credentials that can be used during targeting. Account credentials may be obtained via phishing for information, breach data dumps, dark web marketplaces (Russian Market, 2easy), infostealer malware logs distributed via Telegram channels, or by compromising websites to harvest authentication cookies. Gathered credentials enable credential stuffing attacks, account takeover via valid account abuse (T1078), and initial access via external remote services (T1133). Real-world actors including APT28, Magic Hound, LAPSUS$, Leviathan, and Chimera have leveraged previously gathered credentials to validate access across dozens to hundreds of organizational and third-party platforms.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Sub-technique
T1589.001 Credentials
Canonical reference
https://attack.mitre.org/techniques/T1589/001/

QRadar Detection Query

IBM QRadar (QRadar), AQL:

```sql
SELECT
    sourceip,
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00') AS time_window,
    COUNT(*) AS total_failures,
    UNIQUECOUNT(username) AS unique_accounts,
    MIN(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS first_seen,
    MAX(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS last_seen,
    LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE devicetype = 12
    AND "EventID" IN (4625, 4776)
    AND sourceip IS NOT NULL
    AND sourceip NOT IN ('127.0.0.1', '0:0:0:0:0:0:0:1', '::1')
    AND username IS NOT NULL
    AND username NOT IN ('', '-', 'ANONYMOUS LOGON', 'IUSR')
GROUP BY sourceip, DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00')
HAVING UNIQUECOUNT(username) >= 10
ORDER BY unique_accounts DESC
LAST 24 HOURS
```

Severity: high · Confidence: high

QRadar AQL query over Windows Security Event Log sources (devicetype 12, the log source type ID that maps to Microsoft Windows Security Event Log in standard QRadar deployments) for Event ID 4625 (an account failed to log on) and 4776 (the domain controller or local SAM attempted to validate NTLM credentials). Events are bucketed by source IP and one-hour window of starttime (QRadar timestamps are in milliseconds, which is what DATEFORMAT expects, so no division is needed), and the HAVING clause keeps only buckets in which 10 or more distinct usernames were targeted. Many different accounts failing from one source in a short window, rather than many failures against one account, is the signature of credential stuffing with a gathered credential list (T1589.001) as opposed to a brute-force attack on a single account. Distinct counting uses UNIQUECOUNT, QRadar's AQL aggregate for that purpose. "EventID" is QRadar's built-in custom event property for Windows events; confirm it is enabled and indexed on your deployment, and whether it is stored as a number or a string, before relying on this filter. One caveat: 4776 is logged for successful validations as well as failures, so as written the query counts every NTLM validation from a source; if your deployment exposes the 4776 error code as a custom property, add a condition restricting it to non-zero values (0xC000006A wrong password, 0xC0000064 unknown user, and so on) to keep the counts honest.

Data Sources

Windows Security Event Log collected via QRadar WinCollect agent or LEEF/Syslog forwarding from domain controllers and member servers

Required Tables

events

False Positives & Tuning

  • Jump hosts and terminal servers: every RDP or NTLM logon brokered by such a host reaches the domain controller from a single source IP, so a handful of users mistyping passwords in the same hour can cross the threshold
  • Network access control (NAC) or 802.1X systems that validate credentials for large numbers of endpoints from a centralized authentication proxy IP; allowlist the proxy addresses or raise the threshold for them
  • Vulnerability management platforms or SIEM health-check agents that perform scheduled credential validation, producing bursts of authentication failures across many monitored accounts from one scanner IP
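To make the query's logic and its two caveats concrete (4776 must be filtered on error code, and known authentication proxies need an allowlist), here is the same aggregation as an added Python example run over constructed sample events. This is not code from the original page or from QRadar; the event dictionaries, the `error_code` field name, and the IP addresses (203.0.113.7 is documentation address space) are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constants mirroring the AQL query's filters.
WINDOWS_SECURITY_DEVICETYPE = 12            # QRadar log source type ID for Windows Security Event Log
LOOPBACK = {"127.0.0.1", "0:0:0:0:0:0:0:1", "::1"}
PLACEHOLDER_USERS = {"", "-", "ANONYMOUS LOGON", "IUSR"}


def hour_window(epoch_ms):
    """Equivalent of DATEFORMAT(starttime, 'yyyy-MM-dd HH:00:00'); starttime is in milliseconds."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:00:00")


def fmt(epoch_ms):
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_auth_failure(ev):
    """4625 is always a failure. 4776 is logged for successes too, so it only counts
    when the error code (assumed field name 'error_code') is non-zero."""
    if ev["devicetype"] != WINDOWS_SECURITY_DEVICETYPE:
        return False
    if ev["event_id"] == 4625:
        return True
    if ev["event_id"] == 4776:
        return ev.get("error_code", "0x0") != "0x0"
    return False


def detect_credential_stuffing(events, min_unique_accounts=10, allowlist=frozenset()):
    """Group failures by (source IP, hour window) and return buckets with >= N distinct usernames,
    sorted like the AQL query (unique_accounts DESC). 'allowlist' holds tuned-out proxy IPs."""
    groups = defaultdict(lambda: {"failures": 0, "users": set(), "first": None, "last": None})
    for ev in events:
        if not is_auth_failure(ev):
            continue
        ip, user = ev.get("sourceip"), ev.get("username")
        if ip is None or ip in LOOPBACK or ip in allowlist:
            continue
        if user is None or user in PLACEHOLDER_USERS:
            continue
        g = groups[(ip, hour_window(ev["starttime"]))]
        g["failures"] += 1
        g["users"].add(user)
        t = ev["starttime"]
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    hits = [
        {"sourceip": ip, "time_window": w, "total_failures": g["failures"],
         "unique_accounts": len(g["users"]), "first_seen": fmt(g["first"]), "last_seen": fmt(g["last"])}
        for (ip, w), g in groups.items() if len(g["users"]) >= min_unique_accounts
    ]
    hits.sort(key=lambda h: (-h["unique_accounts"], -h["total_failures"], h["sourceip"]))
    return hits


# --- Constructed sample telemetry (not real logs) ---------------------------------
BASE_MS = 1_700_000_000_000  # 2023-11-14 22:13:20 UTC


def ev(ip, user, event_id, offset_s, error_code="0x0"):
    return {"devicetype": WINDOWS_SECURITY_DEVICETYPE, "sourceip": ip, "username": user,
            "event_id": event_id, "error_code": error_code, "starttime": BASE_MS + offset_s * 1000}


SAMPLE_EVENTS = (
    [ev("203.0.113.7", f"user{i:02d}", 4625, i * 20, "0xC000006A") for i in range(12)]   # stuffing from one external IP
    + [ev("203.0.113.7", f"svc{i}", 4776, 300 + i, "0xC0000064") for i in range(3)]      # NTLM failures, unknown users
    + [ev("203.0.113.7", f"ok{i}", 4776, 400 + i, "0x0") for i in range(5)]              # successful 4776: not counted
    + [ev("203.0.113.7", "-", 4625, 500, "0xC000006A"),
       ev("203.0.113.7", "ANONYMOUS LOGON", 4625, 501, "0xC000006A")]                    # placeholder users: excluded
    + [ev("10.0.0.5", f"admin{i}", 4625, i * 60, "0xC000006A") for i in range(3)]        # low volume, below threshold
    + [ev("10.0.0.20", f"host{i:02d}$", 4625, i * 10, "0xC000006A") for i in range(14)]  # NAC proxy: tuning candidate
    + [ev("127.0.0.1", f"local{i}", 4625, i, "0xC000006A") for i in range(12)]           # loopback: excluded
)

if __name__ == "__main__":
    for hit in detect_credential_stuffing(SAMPLE_EVENTS):
        print(hit)
    print("with NAC allowlist:", detect_credential_stuffing(SAMPLE_EVENTS, allowlist={"10.0.0.20"}))
```

Run as-is, the attacker bucket reports 15 distinct accounts (the five successful 4776 validations and the two placeholder usernames are dropped) and the NAC proxy also fires; passing the proxy address in `allowlist` leaves only the real hit, which is the tuning the list above recommends.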

Testing Methodology

Validate this detection against the five Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; only the last two produce the Windows 4625/4776 events the QRadar query reads, the others exercise related credential-gathering and stuffing activity that other detections should cover.

  1. Test 1: Simulate Credential Stuffing Against Local Web Application

    Expected signal: Web application access logs showing 10+ POST requests to /auth/login from 127.0.0.1 with distinct username values. HTTP 401 or 403 response codes for each attempt. If web application authentication failures are forwarded to SIEM, Event ID 4625 or equivalent application authentication failure events will appear. Network connection events (Sysmon Event ID 3) showing connections to 127.0.0.1:8080 from the executing process.

  2. Test 2: Generate Windows Authentication Failures Across Multiple Accounts

    Expected signal: Windows Security Event ID 4625 (An account failed to log on) for each username attempted, with LogonType=3 (network logon), SubStatus=0xC000006A (wrong password) or 0xC0000064 (unknown username), and Workstation set to the local machine. Event ID 4776 (NTLM credential validation) may also appear with a matching non-zero error code. All events carry source address 127.0.0.1 or the machine name, so this test exercises the event pipeline but is deliberately excluded by the query's loopback filter; to trigger the rule itself, run the attempts from a second host so the domain controller logs a non-loopback source. Domain controllers log these events only if the host is domain-joined and the target accounts are domain accounts.

  3. Test 3: LaZagne Credential Harvester Execution (Test Mode)

    Expected signal: Sysmon Event ID 1 (Process Create) for lazagne_test.exe with parent powershell.exe. Sysmon Event ID 11 (File Create) for the lazagne_test.exe download and the results file. Sysmon Event ID 10 (Process Access) if LaZagne opens browser processes or LSASS. DeviceFileEvents in MDE showing reads of Chrome's Login Data, Firefox's logins.json, or similar browser credential stores. Microsoft Defender commonly flags LaZagne binaries on write or execution, so expect an antivirus alert rather than a clean run unless an exclusion is in place.

  4. Test 4: Credential Exposure Check in Git Repository

    Expected signal: Process creation events for python3/pip3/trufflehog3 execution. File read events across the repository directory tree as the scanner walks the source files. Outbound network connections only if the scanner is configured to contact remote services; a purely local scan should produce none. On Linux with auditd enabled: execve syscall records for python3 with trufflehog3 arguments in audit.log.

  5. Test 5: Azure AD Credential Stuffing Simulation via PowerShell

    Expected signal: Azure AD SigninLogs entries for each username with ResultType=50126 (invalid username or password) or ResultType=50034 (user account does not exist), IPAddress reflecting the executing machine's public egress IP, AppDisplayName='Microsoft Azure PowerShell' or similar, and UserPrincipalName set to each test account. Events typically appear in SigninLogs within 5 to 15 minutes of execution. Note that these are cloud sign-in events, not Windows Security Event Log events, so this test validates an Azure AD sign-in detection rather than the QRadar query above.
